Evaluating distributed ledger technology

This information sheet (INFO 219) is for both existing licensees and start-ups that are considering operating market infrastructure, or providing financial or consumer credit services, using distributed ledger technology (DLT) or blockchain.

DLT and blockchain are often used interchangeably. We will refer to 'DLT', a slightly broader term that includes the blockchain concept.

You may obtain guidance about whether you need a licence by going to the licensing links at the end of this sheet, or contact ASIC through the Innovation Hub page.

We have included an assessment tool to help you identify the questions we are likely to ask when assessing whether your use of DLT allows you to meet your regulatory obligations: see Appendix 1.

Not all business models using DLT will be regulated by ASIC. You may also want to consider whether your business model falls under the regime of another regulator. You will find links to a number of Australian regulators at the end of this information sheet.

Why has ASIC developed this information sheet?

In the last few years, there has been intense interest in DLT from operators of financial market infrastructure, financial institutions, financial services providers and innovative financial technology (fintech) firms around the world.

To date, we have seen DLT used in foreign exchange remittance payments, securities settlement systems, debt issuance programs and digital identity initiatives. Internationally, DLT is being deployed in an even wider range of use cases including arrangements to support private securities transactions, interbank payments, and netting services for repo and foreign currency markets.

We expect that the range of potential applications of DLT will grow exponentially over time. This could have far-reaching implications for our stakeholders, and affect the way these entities operate and the structure of the market in which they offer their services.

Although DLT is still an emerging technology, we have given, and will continue to give, considerable thought to regulatory issues that may arise if you are contemplating using DLT for your business. This information sheet is designed to help you better understand the regulatory considerations we have identified.

What is ASIC’s regulatory framework?

Broadly speaking, our regulatory framework already requires entities to have adequate technological resources and risk management arrangements, as well as the necessary human resources and organisational competence. These obligations are summarised in Appendix 2. Our historical approach is that these types of obligations are 'technology neutral' and the discussion in this information sheet has this position as its starting point.

This information sheet is designed to help both ASIC and interested parties evaluate whether the use of DLT would allow an entity to meet its regulatory obligations, as well as to fast track any discussions those entities choose to have with ASIC about their potential regulatory obligations.

At this stage, we believe the existing regulatory framework is able to accommodate the DLT use cases we have seen. However, as DLT matures, we anticipate that additional regulatory considerations may arise. These are most likely to be resolved with early and collaborative dialogue between ASIC and the industry. This information sheet is intended to form part of that dialogue.

What is distributed ledger technology?

DLT is a specific configuration of technology components that records and tracks information in a 'distributed' (as opposed to 'centralised') manner. This configuration enables participants of the network to have secure access to a consistent view of the information on the ledger at any point in time – with that view limited by their individual access privileges. This configuration and associated cryptography also offers the potential for the information to be more securely stored and accessed in a tamper-proof manner.

Key elements of DLT typically include:

a distributed ledger – that stores a verified set of records which are replicated and shared across a network of participants. The DLT may be configured to share all or a selected set of records, depending on the security requirements and business model being operated

a network of participants – also known as 'nodes' that are connected to the network and have access to the ledger. These nodes may or may not require authorisation to access the DLT ledger – this would be dependent on the particular configuration and governance arrangements underpinning the business model

a consensus mechanism – is an algorithm or set of algorithms that nodes execute to verify and agree on records that are posted to the ledger, thus achieving consensus on the validity of each record

cryptography – a set of mathematical algorithms that are applied to records on the ledger to ensure secure storage and privacy.

DLT can be designed and configured in a variety of ways to suit the business model in question. It can, for example, be configured to operate with or without a central administrator, with these decisions determined by the operational and governance requirements for the particular proposal.

What is ASIC’s approach to fintech developments?

Our approach to developments in the fintech sector is to work to harness opportunities and economic benefits, not stand in the way of innovation and development. At the same time, we need to mitigate any potential risks of new business models through the use of new technologies. To support these objectives, we have undertaken a number of initiatives.

Current licensees: Our experience to date is that a critical mass of established institutions within our financial market are well advanced in their consideration of DLT, and what it may mean for their business – both as an opportunity and a commercial threat. We continue to engage extensively with a wide number of these organisations as they evaluate various use cases and consider their potential impact on specific services within the market and the structure of the market more broadly.

Innovation Hub: For new businesses, we have established the Innovation Hub to help fintech start-ups developing innovative financial products or services to navigate our regulatory system.

Fintech licensing exemption: We have released two class waivers to allow eligible businesses to test specific services and/or products for up to 12 months with up to 100 retail clients without holding an Australian financial services (AFS) or credit licence. For further information on how the exemptions work and how to rely on them, please refer to Regulatory Guide 257Testing fintech products and services without holding an AFS or credit licence (RG 257).

Engagement: We also continue to engage more broadly with both the industry and fellow regulators, both here and overseas. For example, domestically, we have established the ASIC Digital Finance Advisory Committee (DFAC) which draws members from fintech firms, academia and consumer groups. Internationally, we have signed a number of fintech-related memoranda of understanding (MOUs) with overseas regulators from countries including the United Kingdom, Kenya, Singapore and Canada.

What should you do if you are considering DLT?

We set out below six questions that will help you and ASIC to evaluate the use of DLT for your business. These questions are asked in the context of the existing requirement for infrastructure operators, and financial services and credit licensees, to have adequate technological resources, risk management arrangements, and adequate human resources. We consider this includes having the expertise to understand the technology and ensure any risks are able to be identified and mitigated.

We encourage you to consider the questions and their application to your new or existing service. A summary of the questions and our reasons for asking them is set out below. A more detailed version is set out in Appendix 1.

1. How will the DLT be used?

We would like to understand the problem the DLT is trying to solve and your assessment of the commercial landscape and context in which it is proposed. This will help ASIC to more quickly identify the relevant regulatory issues and whether or not we have considered them previously.

We would also like to understand the proposed rules for users to access the DLT-based service and other design features, including what information will be held on the DLT ledger and whether smart contracts will be used. These details will help ASIC to quickly understand your proposal.

2. What DLT platform is being used?

There are a range of different DLT platforms that can be used and each has its own features, strengths and limitations. We would like to understand why you selected the particular platform and what work has been done to test it in the context of the use case proposed.

For example, do the risk controls ensure that the interests, rights and liabilities of investors and consumers can be accurately determined at any time? Also, does the DLT mitigate the risk of susceptibility to fraud? It is important that the DLT platform used is robust, reliable and secure and this information will help ASIC and you to quickly form that view.

3. How is the DLT using data?

DLT essentially creates a validated distributed ledger of information drawn from data. It is important to know where that data is coming from and what rules and security arrangements are in place to enable certain users (including, potentially, regulators) to see it, and where appropriate, to keep it private from others. This information will help ASIC and you to quickly evaluate whether sharing data held on the ledger is appropriate and effective.

4. How is the DLT run?

The governance model of the DLT-based service is critical to understanding the risks those using it are exposed to, and the steps taken to mitigate those risks. This includes the rules for the interaction of users as well as the arrangements in place for ownership and control.

Examples include the type of consensus mechanism proposed for participants to determine the true record of information when there is inconsistency. These questions will help ASIC and you to quickly evaluate whether the governance of the DLT is fair and robust.

5. How does the DLT work under the law?

Although DLT can allow entities to transact without the need for external mechanisms for conflict resolution, the DLT-based service will remain subject to the legal and regulatory framework of the relevant jurisdiction. In Australia, as with many jurisdictions, there are scenarios where the legal system does not permit enforcement of a contract solely on its terms. The DLT will need to be flexible enough to accommodate this.

For example, insolvency laws provide for clawback of transactions in certain circumstances, even where the contract in question may have contemplated those transactions occurring. It will be important to ensure that the DLT-based service is able to operate within the law, and these questions will help ASIC and you to quickly determine that this is the case.

6. How does the DLT affect others?

We would like to understand the possible impact your DLT-based service may have on others. For example, how scalable is your proposal? Where the solution is considered highly scalable, what risk trade-offs (if any) have been identified to enable this? We are interested in these questions because any DLT-based service will typically operate within a broader market environment and the impact of its success or failure has the potential to also affect people who do not directly use the service.

For these reasons, we would also like to understand whether any steps have been taken to enable ‘interoperability’ between the specific service and others, and whether consideration has been given to the management of a default by a customer, participant or the service provider. These types of questions will help ASIC and you to quickly determine the role your DLT-based service could play in the efficient and effective operation of the broader market ecosystem.

Next steps?

If you are an innovative fintech considering the use of DLT and you want to discuss your proposed business model with ASIC, contact us via the Innovation Hub or through your established ASIC channels. Further, whether or not you meet with ASIC about your proposed business model, you should consider obtaining legal advice to determine whether you will be operating the facility or providing the services with the proper authorisations. It is important that you do your own research on the technology (or the firm offering to provide the technology services) and take the time to seek independent advice to discuss your options.

Important notice

Please note that this information sheet is a summary giving you basic information about a particular topic. It does not cover the whole of the relevant law regarding that topic, and it is not a substitute for professional advice. You should also note that because this information sheet avoids legal language wherever possible, it might include some generalisations about the application of the law. Some provisions of the law referred to have exceptions or important qualifications. In most cases your particular circumstances must be taken into account when determining how the law applies to you.

This is Information Sheet 219 (INFO 219), issued in March 2017. Information sheets provide concise guidance on a specific process or compliance issue or an overview of detailed guidance.